Re: [ISN] Spam Masquerades as Admin Alerts

From: InfoSec News (isnat_private)
Date: Thu Oct 17 2002 - 22:48:52 PDT

    Forwarded from: H C <keydet89at_private>
    Cc: gizmoat_private
    
    > I think there is a bit of confusion in this article.
    > 
    > This practice, from what I have discovered, seems to be specific to
    > the Windows Messaging service, not Windows Messenger (aka Microsoft
    > Messenger or MSN Messenger).
    
    I don't see where you found the "confusion"...McWilliams specifically
    referred to the service and even provided a link to an MS KB article.
     
    > A good firewall, with a proper protection policy enabled, would
    > prevent these pop-ups.
    
    Some of the folks on the public lists have "good firewalls"...but they
    still get hit w/ this stuff.  The reason is b/c some of them have to
    allow DCOM/RPC portmapper (UDP 135) through for a specific purpose.
    
    > Most personal firewalls will do this.  In fact, protecting your
    > NetBIOS ports is a baseline best practice for Windows and other SMB
    > enabled systems.
    
    NetBIOS ports aren't used by the DirectAdvertiser application.  They
    are used by the "net send" command, and the NetMessageBufferSend() API
    (which 'net send' uses)...however the popups most folks are seeing are
    coming in over DCOM/RPC.
    
    Again...I'm not all that clear on where you found "confusion" in the
    article.  To be quite honest, it was relatively clear.  The only folks
    who might be confused by it are those who chose not to read it
    completely.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    